Kippo attack heatmap in seconds using Kibana and Kippo2ElasticSearch

Continuing from my previous post, here is how to create an attack heat map in seconds using the same ElasticSearch + Kibana instance. First of all we have to download Maxmind’s GeoIP database. The general procedure is super easy (no need to do it):

wget -N
gunzip GeoIP.dat.gz

This will output a single GeoIP.dat file which is a binary format with IP to geolocation data mappings which you can query using an API. The Python version of the latter is easily installable via pip (do this):

pip install GeoIP

Bear in mind that you’ll probably get the “clang: error: unknown argument” failure message but fear not; I have written the solution here if you need it:

We then have to modify the script I posted a little bit, in order to save the two letter country code in the JSON documents before indexing them in ElasticSearch. I have actually decided to pursue this project and publish the (poorly written at this stage, serving as an example) code properly. So just get the Kippo2ElasticSearch files from GitHub:

git clone

It includes the GeoIP database, no need to get it yourself. Edit the MySQL and ES values and you’re ready. After importing the data to ElasticSearch, open Kibana and add a new map panel:
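As an added illustration of the enrichment step described above (example code written for this post, not the Kippo2ElasticSearch script itself), here is how a two-letter country code can be attached to each Kippo session document before it is indexed, so that Kibana's map panel has a field to bucket on. `GeoIP.open` and `country_code_by_addr` are the legacy MaxMind binding's API; the `country` field name, the sample session rows and the `FakeGeoIP` stand-in are constructed so the block runs offline.

```python
import ipaddress
from collections import Counter

try:
    import GeoIP  # legacy MaxMind binding from `pip install GeoIP`
except ImportError:  # keep the example runnable without the binding
    GeoIP = None

# Addresses a honeypot logs when it is tested from its own LAN; they never resolve.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def open_geoip(path="GeoIP.dat"):
    """Open the GeoIP.dat database shipped with the repo (None when the binding is missing)."""
    return None if GeoIP is None else GeoIP.open(path, GeoIP.GEOIP_STANDARD)


def country_code(ip, db):
    """Two-letter country code for ip, or None when it cannot be resolved."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if db is None or any(addr in net for net in _LOCAL_NETS):
        return None
    code = db.country_code_by_addr(ip)
    return code if code and code != "--" else None  # legacy DB reports unknown as None or "--"


def enrich_sessions(sessions, db):
    """Copy each Kippo session document and add the 'country' field before indexing."""
    return [dict(s, country=country_code(s["ip"], db)) for s in sessions]


def attacks_per_country(docs):
    """Count documents per country; documents without a code stay off the map."""
    return Counter(d["country"] for d in docs if d["country"])


# Constructed Kippo `sessions` rows (ip, starttime, sensor); not real honeypot data.
SAMPLE_SESSIONS = [
    {"ip": "203.0.113.7", "starttime": "2014-04-20 10:01:12", "sensor": "kippo-1"},
    {"ip": "203.0.113.7", "starttime": "2014-04-20 10:05:40", "sensor": "kippo-1"},
    {"ip": "198.51.100.9", "starttime": "2014-04-20 11:00:00", "sensor": "kippo-2"},
    {"ip": "192.168.1.20", "starttime": "2014-04-20 11:30:00", "sensor": "kippo-2"},
]


class FakeGeoIP:
    """Constructed stand-in exposing GeoIP's country_code_by_addr for offline runs."""
    _TABLE = {"203.0.113.7": "AU", "198.51.100.9": "--"}

    def country_code_by_addr(self, ip):
        return self._TABLE.get(ip)


if __name__ == "__main__":
    db = FakeGeoIP()  # swap in open_geoip("GeoIP.dat") against the real database
    print(attacks_per_country(enrich_sessions(SAMPLE_SESSIONS, db)))
```

The LAN address and the unresolvable address both end up with `country` set to None rather than an empty string, which keeps them out of the heatmap instead of landing in a bogus bucket.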

[Image: kibana_kippo_map_1]

And voilà, scroll down and you’ll have a heatmap of attacks:

[Image: kibana_kippo_map_2]

Do you really need more convincing about the prospects of a project combining honeypots with ElasticSearch + Kibana? 🙂

For comments, suggestions, fixes, please use the Kippo2ElasticSearch page:


2 pings

    • Craig Valli on April 23, 2014 at 3:33 PM

    Yep, my thoughts exactly. Very capable, and could provide a good frontend for monitoring multiple Kippo instances.

    1. Hello Craig! Right, and if you check out the latest version of the script, i.e. the Kibana dashboard, you can differentiate between sensors/instances easily.

  1. […] Security Bloggers Network, Ion, […]

  2. […] blog, you would have seen my first attempts at transferring Kippo’s data to ElasticSearch, or creating Kibana dashboards to visualize SSH attacks. These eventually led to the Kippo2ElasticSearch script, a simple way to transfer your logged Kippo […]
